Slashdot Mirror
FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initally gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
These are the people protecting me from terrorists? Scary, very scary.
Slashdot Burying Stories About Slashdot Media Owned
re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.
Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.
Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.
-- dieman - Scott Dier
Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.
And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.
You can never go home again... but I guess you can shop there.
is your sister single? hot?
Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.
Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.
One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is unamerican.
Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
How about FORCING the morons that end up as department heads and executives to use secure passwords?
A dictionary attack.... OMFG!
If the director had a secure password then it would not have been a big deal.
Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionaty attack useless against it.
Next question, WTF is the feds doing not using securID on all of their logins to eliminate such a problem??
Do not look at laser with remaining good eye.
Employers need to be more careful about whom they hire and what their employees are doing.
In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.
You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.
So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.
Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.
I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
It doesn't hurt to be nice.
With apologies to Bash.org
It only appears as Big98Boob$-311 to you since it's your password. To me it just looks like **************
Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
The FBI illegally obtains our information, why can't we illegally obtain theirs?
Haiku for you!
The flip side to the dumb arbitraryness of govt work is that you will never get in trouble if you follow the rules. This guy should of just billed the extra time to set up printers and been happy he had a job. What an idiot.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?
Compare that to the clearly less harmful actions of Randal Schwartz, who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.